01-25-2022 01:31 AM - edited 01-25-2022 01:33 AM
Hi, the Cortex XDR Local Analysis Malware module stops a process called "ClientConsole.exe" (I guess it's a false positive).
I've created a global exception for that issue and checked in the client, but XDR still blocks this executable.
In the client log I read these rows:
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
Why does XDR ignore my exceptions?
06-10-2022 01:46 PM
Hi Faber,
This may be due to this process not being protected by a module. By default, your exploit security profile protects endpoints from attack techniques that target specific processes. Each exploit protection capability protects a different set of processes that Palo Alto Networks researchers determine are susceptible to attack. If there are no protection modules enabled on the process, no exception is needed. Please reference Processes Protected by Exploit Security Policy (paloaltonetworks.com) for more details.
There are other modules where Process Exceptions will still apply, like Anti-Ransomware Protection and Child Process Protection, but for all Exploit Prevention Modules the process exception makes no difference for an unprotected process.
If your investigation has determined the process is benign, you can add the hash to the Allow List (*best practice is to whitelist by hash) and allow it to be executed on all your endpoints regardless of the WildFire or local analysis verdict.
In the UI, go to Incident Response > Response > Action Center > + New Action.
Enter the SHA-256 hash of the file and click
You can add up to 100 hashes at once.
Click Next.
Review the summary and click Done.
Reference Manage File Execution (paloaltonetworks.com)
Thanks
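An added example, not from either poster or from Palo Alto Networks: it parses trapsd client log rows in the format quoted in the question, counts which processes the agent reports "ignoring admin exception" for (a quick way to spot an exception that is not taking effect, as described above), and computes the SHA-256 digest that the Action Center allow-list step asks for. The sample log text is constructed from the question's rows plus one unrelated row; the field layout assumed by the regex is inferred from those rows only.

```python
import hashlib
import re
from collections import Counter

# Constructed sample: two rows as quoted in the question plus one unrelated row.
SAMPLE_LOG = """\
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:33.337+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} ignoring admin exception for process: 'clientconsole.exe'
2022/01/25T10:17:34.001+01:00 <Info> VALERIANIT [10128:11292 ] {trapsd:Ptu:Heartbeat:Scheduled:} heartbeat sent
"""

# Layout assumed from the quoted rows: timestamp <level> host [pid:tid ] {component} message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) <(?P<level>\w+)> (?P<host>\S+) \[(?P<pid>\d+):(?P<tid>\d+)\s*\] "
    r"\{(?P<component>[^}]*)\} (?P<msg>.*)$"
)
IGNORED_RE = re.compile(r"ignoring admin exception for process: '(?P<proc>[^']+)'")


def parse_line(line):
    """Split one log row into its fields; return None for rows that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ignored_exceptions(log_text):
    """Count, per process name, how often the agent reported ignoring an admin exception."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = IGNORED_RE.search(rec["msg"])
        if m:
            counts[m.group("proc").lower()] += 1
    return counts


def sha256_hex(data):
    """SHA-256 hex digest of raw bytes."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """SHA-256 of a file on disk: the value entered in the Action Center allow list."""
    with open(path, "rb") as f:
        return sha256_hex(f.read())


if __name__ == "__main__":
    for proc, n in ignored_exceptions(SAMPLE_LOG).items():
        print(f"{proc}: admin exception ignored {n} time(s)")
```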